• Collect network-based evidence.
• Analyze alert, statistical and session network-based evidence.
In order to complete the lab, you will first have to install or download the following. (Note: If you are using Ubuntu/BackTrack, you can use the apt-get install command to install the following.)
Provide at least one screenshot for each tool, with your UID visible in the shot.
• tcpdump (Kali)
• Snort (Kali)
• tcpflow (apt-get install tcpflow)
• xplico (apt-get install xplico) (no worries if this doesn’t work, just try it)
• ngrep (apt-get install ngrep)
• SplitCap or editcap
• hd (hexdump, Kali)
• NetworkMiner
• CapTipper (show some sites visited)
• tshark (find out how many packets are in the pcap using tshark)
After reviewing Chapter 11 and the slides, collect the network-based evidence requested above. You will collect the information from a capture file given to you by the instructor.
After completing the investigation you should be able to answer the following questions.
1. What is the most popular port used?
2. What are the IP addresses involved?
3. Name at least one executable file that was transferred.
4. What did that file do?
5. Did your IDS find anything? If yes, explain what.
6. Re-create at least one website found and give a screenshot, or show all the HTML for one site.
7. What attacks occurred?
8. What applications were used for the attack?
9. Write a paragraph synopsis of what you think happened, based on the evidence you have accumulated.
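The tools listed above (tshark for the packet count, tcpdump/ngrep/tcpflow for ports, hosts and payloads) answer questions 1 to 3 from the instructor's pcap. The following added example, which is not part of the lab handout and not one of the listed tools, shows what those tools compute underneath: a pure-Python (stdlib only) reader for a classic little-endian libpcap file that counts packets, lists the IPv4 addresses seen, finds the most popular TCP/UDP port, and flags TCP payloads that carry a PE executable (the "MZ" header) such as an HTTP download. The sample capture is constructed inline from hand-built Ethernet/IPv4/TCP frames; the addresses, ports and the file name update.exe are made up for the example and do not come from the instructor's file.

```python
"""Minimal pcap triage in pure Python: packet count, IPs, top port, executable transfers."""
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4      # classic pcap, little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1


def build_pcap(frames):
    """Wrap raw Ethernet frames in a classic libpcap file (used only to construct sample data)."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = b""
    for i, frame in enumerate(frames):
        # record header: ts_sec, ts_usec, captured length, original length
        records += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return header + records


def tcp_frame(src_ip, dst_ip, sport, dport, payload=b""):
    """Build an Ethernet/IPv4/TCP frame; checksums are left at zero since the parser ignores them."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"  # dst, src, IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp


def iter_frames(data):
    """Yield the captured bytes of each packet record in a classic pcap file."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap (pcapng and big-endian files unsupported)")
    linktype, = struct.unpack_from("<I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type handled")
    offset = 24
    while offset + 16 <= len(data):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, offset)
        offset += 16
        yield data[offset:offset + incl_len]
        offset += incl_len


def parse_frame(frame):
    """Return (src_ip, dst_ip, proto, sport, dport, payload), or None if not IPv4."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    l4 = frame[14 + ihl:]
    if proto == 6 and len(l4) >= 20:          # TCP: data offset in upper nibble of byte 12
        sport, dport = struct.unpack_from("!HH", l4, 0)
        return src, dst, proto, sport, dport, l4[(l4[12] >> 4) * 4:]
    if proto == 17 and len(l4) >= 8:          # UDP: fixed 8-byte header
        sport, dport = struct.unpack_from("!HH", l4, 0)
        return src, dst, proto, sport, dport, l4[8:]
    return src, dst, proto, None, None, l4


def triage(data):
    """Summarise a capture the way the lab questions ask: count, IPs, top port, executables."""
    ports, ips, count, exe_transfers = Counter(), set(), 0, []
    for frame in iter_frames(data):
        count += 1
        info = parse_frame(frame)
        if info is None:
            continue
        src, dst, _proto, sport, dport, payload = info
        ips.update((src, dst))
        if sport is not None:
            ports[sport] += 1
            ports[dport] += 1
        # A PE/EXE file begins with "MZ"; catch it at the start of a segment or right after HTTP headers.
        if payload.startswith(b"MZ") or b"\r\n\r\nMZ" in payload:
            exe_transfers.append((src, sport, dst, dport))
    top_port = ports.most_common(1)[0][0] if ports else None
    return {"packets": count, "ips": sorted(ips), "most_popular_port": top_port,
            "exe_transfers": exe_transfers}


# Constructed sample capture: a client fetching a (fake) executable over HTTP, plus one DNS-port flow.
SAMPLE_PCAP = build_pcap([
    tcp_frame("10.0.0.5", "192.168.1.20", 49152, 80, b"GET /update.exe HTTP/1.1\r\nHost: 192.168.1.20\r\n\r\n"),
    tcp_frame("192.168.1.20", "10.0.0.5", 80, 49152,
              b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\nMZ\x90\x00"),
    tcp_frame("10.0.0.5", "192.168.1.20", 49153, 80, b"GET / HTTP/1.1\r\n\r\n"),
    tcp_frame("10.0.0.5", "10.0.0.53", 49154, 53, b""),
])

if __name__ == "__main__":
    print(triage(SAMPLE_PCAP))
```

Run the file directly to see the summary for the constructed capture; on a real lab pcap, read the file bytes and pass them to triage(). The port counter tallies both endpoints of every packet, which is why a server port such as 80 dominates, and the "MZ" check is only a first pass: the real file carving is what tcpflow and NetworkMiner do by reassembling the stream.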
Evaluation (12 Marks)